How is the data being provided to the NDLP instances?
Prevent will require a web proxy (MWG) or email proxy (MEG) to send the data over to be inspected.
Discover requires a scan to be configured via the Manager to target a location with data (file share, http, database) to pull data from.
Monitor needs eth2 or eth3 set to span or tap traffic from the switch in order to see it.
I don't know how I can run Prevent and Monitor.
I have virtual switch which is switched to the operation mode of the hub and the traffic is completely duplicated.
I install all network applianses to VM esxi. I set eth2 to Monitor.
What do I need else?
For Monitor I assume all of your traffic flows are on an internal address space. In the Manager web GUI, go to "SYSTEM - System Administration - Capture Filters". Under the Monitor's name, there's a Network Filters section. The first one should be "Ignore-RFC1918". Click the "X" at the far right to remove it.
By default the internal network traffic is ignored to minimize chatter. Note: you won't be able to see any encrypted traffic unless you're terminating ssl over a proxy before it's passed to the Monitor.
Anyone who is just beginning to install and configure NDLP, I recommend to view the following video:
Installing NDLP (any device) on a virtual machine will be extremely difficult without the installation instructions on the VM from McAfee. This instruction is not in free access, technical support (Gold) will not assist in the installation NDLP on a VM. Therefore, the solution of the puzzle called "instructions, which is not in freely accessible" everyone decides for themselves.